An ethernet Tor box

You are without doubt already familiar with the Tor project. The Tor
Browser is a very handy tool to surf anonymously, but what if an entire
network's traffic were forwarded through Tor by a special gateway? Let's
turn a tiny router into a transparent Tor proxy: a portable Wifi access
point that redirects all of its clients' traffic to the Tor network.

Let's begin with a short presentation of one of my favorite hackable
network devices: the
TL-MR3020.

The portable 3G/4G wireless N router TL-MR3020 from TP-Link

Despite being marketed as a portable 3G/4G wireless N router, it has no
mobile telecommunication interface of its own: the "3G/4G" part is a USB
modem you plug into it. What it really is, is a very small and cheap
router featuring a 802.11n 150Mbps Wifi interface, a 100Mbps Ethernet
port and a USB host port. It is powered over a mini-B USB port and draws
very little, around 120mA at 5V on average, i.e. 600mW. Its hardware is
pretty limited: an Atheros AR9331 SoC with a 400MHz MIPS core, 32MB of
RAM and 4MB of flash memory.

The preliminary step for our Tor box is to install
OpenWRT (this example uses Barrier Breaker, 14.07) so we have a
full-featured Linux system on it. Once OpenWRT is installed, connect to
its Wifi network and ssh into the router.

Tor is available as a package for opkg, OpenWRT's package manager.
However, the 4MB of flash is far too small to hold it, so we need more
space for packages. The easiest way to get it is to move the root
filesystem overlay onto an external device, e.g. a USB key, a setup
OpenWRT calls "extroot".

First, format a USB key as ext4 on another computer and plug it into the
router. We can then mount the filesystem (after installing the packages
that provide the USB storage and ext4 kernel modules, plus block-mount,
which handles the fstab entry below) and copy the content of the overlay
partition there:

Using tar to copy entire filesystems is a good habit: it keeps
everything intact, including ownership, permissions, symlinks and device
nodes. What tar actually does here is turn the whole tree into a stream
of bytes, which a second tar turns back into a tree on the destination.

Then, modify /etc/config/fstab by adding a new entry that mounts the USB
key as the overlay:

We need to add two custom iptables lines to /etc/firewall.user to
redirect DNS requests (UDP port 53) from the LAN to Tor's DNSPort and
every TCP connection from the LAN to Tor's TransPort, the two listeners
that must be enabled in torrc. Since the redirect makes Tor terminate the
TCP connections on the router itself, nothing from the LAN needs to be
forwarded to the WAN at all: other kinds of traffic, for instance any
other protocol over UDP, is not routed to the WAN and is simply rejected.
Make sure this is actually the case on your box, because the stock
OpenWRT /etc/config/firewall does forward lan to wan; either remove that
forwarding section or drop forwarded LAN traffic explicitly. This
restrictive configuration prevents leaks like the WebRTC one, whose STUN
probes run over UDP. However, don't expect protocols that are not purely
TCP-based, like VoIP or BitTorrent, to work behind the Tor box.
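The following script is an added example and not the original post's firewall.user: it renders both the iptables lines and the matching torrc lines from one set of variables, so the ports the firewall redirects to and the ports Tor listens on cannot drift apart. The LAN bridge name (br-lan), the LAN subnet (192.168.1.0/24) and the port numbers 9040/9053 are assumptions; Tor accepts any port for TransPort and DNSPort. It also adds the rules that make the "everything else is rejected" property explicit instead of relying on the zone configuration.

```shell
#!/bin/sh
# Added example, not the post's own /etc/firewall.user. Assumptions: LAN
# bridge br-lan with 192.168.1.1/24, TransPort 9040 and DNSPort 9053
# (conventional values, not mandated by Tor).
LAN_IF=${LAN_IF:-br-lan}
LAN_IP=${LAN_IP:-192.168.1.1}
LAN_NET=${LAN_NET:-192.168.1.0/24}
TRANS_PORT=${TRANS_PORT:-9040}
DNS_PORT=${DNS_PORT:-9053}

# torrc_fragment: lines to append to /etc/tor/torrc. The listeners are bound
# to the LAN address because REDIRECT rewrites the destination to the primary
# address of the interface the packet came in on. VirtualAddrNetworkIPv4 plus
# AutomapHostsOnResolve is what lets the DNSPort answer .onion lookups with a
# placeholder address that Tor later maps back to the hidden service.
# /var is tmpfs on OpenWRT, so /var/log/tor must exist before Tor starts.
torrc_fragment() {
    cat <<EOF
TransPort $LAN_IP:$TRANS_PORT
DNSPort $LAN_IP:$DNS_PORT
VirtualAddrNetworkIPv4 10.192.0.0/10
AutomapHostsOnResolve 1
Log notice file /var/log/tor/notices.log
EOF
}

# firewall_rules: the iptables side. Order matters:
#  1. DNS is redirected before the LAN exemption, otherwise queries sent to
#     the router's own dnsmasq would be answered from the WAN, outside Tor.
#  2. Destinations on the LAN are exempted so ssh/http to the router keep
#     working instead of being sent into Tor.
#  3. Every other TCP connection from the LAN is handed to TransPort.
#  4. DNS over TCP to the router would still reach dnsmasq: reject it (or
#     instead make dnsmasq forward to Tor's DNSPort).
#  5. The redirect turns LAN TCP into connections terminated on the router,
#     so nothing legitimate is ever forwarded. Dropping FORWARD from the LAN
#     (v4 and v6) is what makes UDP, ICMP and IPv6 leaks impossible even if
#     /etc/config/firewall still has a lan->wan forwarding section.
# The lan zone's default INPUT policy (ACCEPT) already admits the redirected
# packets to the TransPort and DNSPort.
firewall_rules() {
    cat <<EOF
iptables -t nat -A PREROUTING -i $LAN_IF -p udp --dport 53 -j REDIRECT --to-ports $DNS_PORT
iptables -t nat -A PREROUTING -i $LAN_IF -d $LAN_NET -j RETURN
iptables -t nat -A PREROUTING -i $LAN_IF -p tcp --syn -j REDIRECT --to-ports $TRANS_PORT
iptables -I INPUT 1 -i $LAN_IF -p tcp --dport 53 -j REJECT
iptables -I FORWARD 1 -i $LAN_IF -j DROP
ip6tables -I FORWARD 1 -i $LAN_IF -j DROP 2>/dev/null || true
EOF
}

# On the router:  sh torbox-fw.sh install    (then /etc/init.d/tor restart)
# Anywhere:       sh torbox-fw.sh rules | torrc   to review the output first.
case "${1:-}" in
    rules)   firewall_rules ;;
    torrc)   torrc_fragment ;;
    install) firewall_rules >> /etc/firewall.user
             torrc_fragment >> /etc/tor/torrc
             /etc/init.d/firewall restart ;;
esac
```

The only design choice worth dwelling on is rule ordering: a LAN exemption placed before the DNS redirect would send every query for 192.168.1.1 to dnsmasq, which forwards upstream over the WAN in the clear, so DNS must be caught first.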

Everything is now ready, let's enable the Tor daemon and reboot! For
some strange reason the daemon won't start with
/etc/init.d/tor enable, so the easiest way is to start it from
/etc/rc.local:

[...]
sleep 30 && /etc/init.d/tor start
exit 0

# reboot

After a short while, you can surf through Tor with any device simply by
connecting to the Wifi network. If something is wrong, check
/var/log/tor/notices.log; on a box without a real-time clock, a
clock-skew complaint there means Tor came up before ntp had set the time.
Hidden services and .onion addresses are available too, provided torrc
enables AutomapHostsOnResolve together with a VirtualAddrNetwork, so that
the DNSPort can answer .onion lookups with a placeholder address.
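To verify the box from a client instead of trusting a browser, here is a check script, added here and not part of the original post. It assumes a Linux client with curl and getent on the box's Wifi, and a torrc on the box using VirtualAddrNetworkIPv4 10.192.0.0/10 together with AutomapHostsOnResolve. The .onion name to test with is passed as an argument; a real routable address coming back for it would mean another resolver answered, i.e. a DNS leak.

```shell
#!/bin/sh
# Added example, not from the original post: a check to run from a client on
# the Tor box's Wifi. Assumptions: Linux client with curl and getent, and the
# box's torrc uses VirtualAddrNetworkIPv4 10.192.0.0/10 for .onion automaps.
AUTOMAP_NET=${AUTOMAP_NET:-10.192.0.0/10}

# is_tor JSON: true when check.torproject.org's /api/ip answer says IsTor.
is_tor() {
    printf '%s' "$1" | grep -q '"IsTor"[[:space:]]*:[[:space:]]*true'
}

# exit_ip JSON: the IP field of that answer, i.e. the exit node the site saw.
exit_ip() {
    printf '%s' "$1" | sed -n 's/.*"IP"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# ip_to_int A.B.C.D: dotted quad to a 32-bit integer.
ip_to_int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP NET/PREFIX: true when IP lies inside the network.
in_cidr() {
    ip=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# onion_resolves NAME: resolve a .onion name through the box's DNSPort and
# confirm the answer is an automap placeholder, not a routable address.
onion_resolves() {
    addr=$(getent ahostsv4 "$1" | awk 'NR==1 {print $1}')
    [ -n "$addr" ] && in_cidr "$addr" "$AUTOMAP_NET"
}

# tor_check ONION_NAME: run both checks; exit status 0 means all good.
tor_check() {
    json=$(curl -s -m 30 https://check.torproject.org/api/ip) || {
        echo "TCP: check.torproject.org unreachable (Tor down, or clock skew; see notices.log)"
        return 1
    }
    if is_tor "$json"; then
        echo "TCP: leaving Tor through exit $(exit_ip "$json")"
    else
        echo "TCP: NOT going through Tor"
        return 1
    fi
    if onion_resolves "$1"; then
        echo "DNS: $1 maps into $AUTOMAP_NET, .onion lookups go through the DNSPort"
    else
        echo "DNS: $1 did not resolve to an automap address"
        return 1
    fi
}

# Usage: sh torbox-check.sh some-known-good-address.onion
if [ "$#" -gt 0 ]; then
    tor_check "$1"
fi
```

Run it as sh torbox-check.sh <name>.onion from a laptop on the Tor box's Wifi; a zero exit status means TCP leaves through a Tor exit and .onion names are being resolved by Tor's DNSPort rather than by anything on the WAN side.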

Remember that you are responsible for what you do, and that anonymity
is _not_ guaranteed just by using Tor. A transparent proxy hides your
address from the sites you visit, but it does nothing about browser
fingerprinting, cookies, or the plaintext an exit node can read. At
least, be sure you're not logged in on web services, use private mode,
enable TLS whenever possible, and stay paranoid. Just because you're
paranoid doesn't mean they're not after you!